How do you handle SOC 2 / PCI-DSS evidence collection for Kafka?
Genuinely curious how teams here approach this.
For context, I've been spending a lot of time on the audit side of Kafka — SOC 2, PCI-DSS, ISO 27001 — and the recurring pain seems to be:
- Inventory: nobody's quite sure how many topics, clusters, or principals exist
- ACL audit: someone granted User:* during an incident a year ago and nobody undid it
- Inter-broker TLS: enabled on the dev cluster, mysteriously not on prod
- Audit logs: enabled, but no retention policy, so the auditor's "who consumed from this topic last quarter" question can't be answered
Some questions I'd love to hear answers to from this community:
- Do you run a pre-audit checklist? If yes, manual or automated?
- How do you prove inter-broker is encrypted, in writing, to an auditor?
- What's your strategy for ACL drift? (Periodic review? Diff against IaC?)
- Has anyone tied control evidence to CI/CD — i.e., the build won't merge if compliance breaks?
I work on an open-source project in this space (KafkaGuard) but I'm asking because the *questions* keep coming up identically across teams and I'd like to know what's working in the wild — tools, scripts, processes, anything.
Will share aggregated patterns from the replies if there's enough discussion.
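Two of the questions above (ACL drift against IaC, and proving in writing that inter-broker traffic is encrypted) can be turned into scripted evidence checks. The following is an added example written for this thread; it is not code from the post or from the KafkaGuard project. It parses the text that `kafka-acls.sh --list` prints (the `ResourcePattern(...)` / `(principal=..., host=..., operation=..., permissionType=...)` layout of Kafka 2.x and later), diffs it against a declared ACL set as it might be exported from Terraform or another IaC source, and flags wildcard principals such as `User:*`. It then reads a broker's `server.properties` and resolves `inter.broker.listener.name` through `listener.security.protocol.map` (falling back to `security.inter.broker.protocol`) to a yes/no answer an auditor can file. The ACL listing, the declared set and the properties file are all constructed sample data.

```python
"""Added example, not from the original post or the KafkaGuard project.

Two audit-evidence checks for Kafka:
  1. ACL drift: live `kafka-acls.sh --list` output vs. the ACLs declared in IaC.
  2. Inter-broker encryption: resolve the broker-to-broker protocol from
     server.properties and report whether it is SSL / SASL_SSL.
All inputs below are constructed sample data.
"""
import re
import sys

# Constructed sample of `kafka-acls.sh --list` output. It contains an
# over-broad grant (User:* with operation=ALL) of the kind left behind
# after an incident.
ACL_LIST_OUTPUT = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=payments, patternType=LITERAL)`:
 \t(principal=User:billing-svc, host=*, operation=READ, permissionType=ALLOW)
 \t(principal=User:billing-svc, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:*, host=*, operation=ALL, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=billing-consumers, patternType=LITERAL)`:
 \t(principal=User:billing-svc, host=*, operation=READ, permissionType=ALLOW)
"""

# Constructed "declared" state, as it might be exported from IaC. One entry
# (the SIEM reader on audit-events) is declared but not present on the cluster.
DECLARED_ACLS = {
    ("TOPIC", "payments", "LITERAL", "User:billing-svc", "*", "READ", "ALLOW"),
    ("TOPIC", "payments", "LITERAL", "User:billing-svc", "*", "WRITE", "ALLOW"),
    ("GROUP", "billing-consumers", "LITERAL", "User:billing-svc", "*", "READ", "ALLOW"),
    ("TOPIC", "audit-events", "LITERAL", "User:siem", "*", "READ", "ALLOW"),
}

# Constructed server.properties: the inter-broker listener is mapped to
# PLAINTEXT even though the client listener uses SASL_SSL, which is exactly
# the "enabled on dev, not on prod" situation from the post.
SERVER_PROPERTIES = """\
listeners=INTERNAL://0.0.0.0:9092,CLIENT://0.0.0.0:9093
listener.security.protocol.map=INTERNAL:PLAINTEXT,CLIENT:SASL_SSL
inter.broker.listener.name=INTERNAL
"""

RESOURCE_RE = re.compile(
    r"ResourcePattern\(resourceType=(\w+), name=(.+?), patternType=(\w+)\)")
ENTRY_RE = re.compile(
    r"\(principal=(.+?), host=(.+?), operation=(\w+), permissionType=(\w+)\)")


def parse_acl_list(text):
    """Return a set of 7-tuples:
    (resourceType, name, patternType, principal, host, operation, permissionType)."""
    acls, current = set(), None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            current = m.groups()       # new resource block starts
            continue
        m = ENTRY_RE.search(line)
        if m and current:
            acls.add(current + m.groups())
    return acls


def acl_drift(live, declared):
    """Diff live ACLs against the declared set; also surface wildcard principals,
    which are a finding even when someone 'declared' them."""
    return {
        "unexpected": sorted(live - declared),
        "missing": sorted(declared - live),
        "wildcard_principals": sorted(a for a in live if a[3].endswith(":*")),
    }


def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inter_broker_protocol(props):
    """Resolve the protocol brokers use among themselves. When
    inter.broker.listener.name is set it is looked up in
    listener.security.protocol.map (a listener named after a protocol maps to
    itself by default); otherwise security.inter.broker.protocol applies,
    whose Kafka default is PLAINTEXT."""
    name = props.get("inter.broker.listener.name")
    if name:
        pairs = [p for p in props.get("listener.security.protocol.map", "").split(",") if p]
        proto_map = dict(p.split(":", 1) for p in pairs)
        return proto_map.get(name, name)
    return props.get("security.inter.broker.protocol", "PLAINTEXT")


def inter_broker_encrypted(props):
    return inter_broker_protocol(props) in ("SSL", "SASL_SSL")


def main():
    drift = acl_drift(parse_acl_list(ACL_LIST_OUTPUT), DECLARED_ACLS)
    props = parse_properties(SERVER_PROPERTIES)
    print("ACL drift:", drift)
    print("Inter-broker protocol:", inter_broker_protocol(props),
          "-> encrypted:", inter_broker_encrypted(props))
    # Non-zero exit lets a CI job fail the merge when evidence regresses.
    failed = drift["unexpected"] or drift["missing"] or drift["wildcard_principals"] \
        or not inter_broker_encrypted(props)
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

In practice you would feed `parse_acl_list` the captured stdout of `kafka-acls.sh --bootstrap-server ... --list` and `parse_properties` the broker's real config (or the output of `kafka-configs.sh --describe`), commit the declared set alongside the IaC, and archive both the inputs and the script's printed result with a timestamp; the archived pair is the written evidence, and the exit code is what gates the pipeline.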